Environment
- Carbon Black Cloud Console: All Versions
- Carbon Black Cloud Sensor: All Versions
Question
Why are sensor events report a future or past time in the Web Console?
- Example August 19 2022 when the event actually happened in July 5th 2022.
Answer
The sensor uses the time reported by the OS that is running the sensor to report the timestamp on events. If the system time is set incorrectly, the events in the console will reflect this time.
This can be verified by preforming one of the following.
- The backend_timestamp in devtools shows the time the event was ingested by the backend. This can be used to review the sensor logs to see if the timestamps around that time changed unexpectedly (e.g. went backwards, went way into the future).
- For Security Logs "Filter Current Log..." for Event ID 4616 (Source = Microsoft-Windows-Time-Service)
- For System Logs "Filter Current Log..." for Event ID 52 (Source = Time-Service), Event ID 129 (Source = Time-Service) and/or Event ID 1 (Source = Kernel-General)
These events will provide insight on if the NTP server was reachable along with if the time was adjusted and by how much.
Additional Notes
For physical systems a bad CMOS battery could cause the systems to be boot with incorrect time, most OS's will attempt to connect to a NTP server and adjust the time. The logs written before the time was updated by the NTP Server will be uploaded to the console causing the confusion.
Related Content
